PHP EUVD-2023-29892

CVE-2023-26005 | HIGH
PHP Remote File Inclusion (CWE-98)
Published: 2025-06-09
CVSS 3.1 base score: 8.1

CVSS Vector (NVD)

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Lifecycle Timeline

Analysis Generated: Mar 14, 2026 - 19:21 (vuln.today)
EUVD ID Assigned: Mar 14, 2026 - 19:21 (euvd), EUVD-2023-29892
CVE Published: Jun 09, 2025 - 16:15 (nvd), rated HIGH 8.1

Description (NVD)

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in BZOTheme Fitrush allows PHP Local File Inclusion. This issue affects Fitrush: from n/a through 1.3.4.

Analysis (AI-generated)

This is a PHP Local File Inclusion (LFI) vulnerability in BZOTheme Fitrush, versions up to and including 1.3.4, that allows unauthenticated remote attackers to include and execute arbitrary local files on the server. The vulnerability stems from improper control of filenames passed to PHP include/require statements (CWE-98), enabling attackers to read sensitive files or, depending on server configuration, achieve remote code execution. While the CVSS score is 8.1 (high severity), the vector indicates high attack complexity (AC:H), suggesting that exploitation may require specific environmental conditions or knowledge of the target system's file structure.

Technical Context (AI-generated)

The vulnerability arises from improper input validation in PHP file inclusion mechanisms. BZOTheme Fitrush (CPE: cpe:2.3:a:bzotheme:fitrush) fails to properly sanitize user-supplied input before passing it to PHP's include() or require() functions. This is a classic CWE-98 (Improper Control of Filename for Include/Require Statement in PHP Program) weakness. Unlike Remote File Inclusion (RFI), this variant is limited to Local File Inclusion (LFI), meaning an attacker can only reach files already present on the target server. LFI can nonetheless be severe when combined with log poisoning, null byte injection (on PHP < 5.3.4), or stream wrappers (php://input, php://filter) to achieve code execution. The vulnerability affects Fitrush from an unspecified initial version through 1.3.4, indicating a long-standing issue across multiple releases.

Remediation (AI-generated)

Patch/Update (priority: Critical): Upgrade BZOTheme Fitrush to version 1.3.5 or later if available. Contact BZOTheme directly or check their official repository for patched releases.

Vendor Advisory: Check BZOTheme's official security advisories and update channels for confirmed patch availability and detailed mitigation guidance.

Temporary Mitigation, if patching is delayed: (1) Implement strict input validation and whitelisting on any user-supplied parameters used in file includes; (2) Disable PHP file inclusion from user-writable directories; (3) Use PHP's open_basedir directive to restrict the file access scope; (4) Implement WAF rules to detect and block path traversal attempts (.., /, php://, etc.); (5) Disable unnecessary PHP stream wrappers (the registered set can be listed with stream_get_wrappers(); remote-URL inclusion is governed by allow_url_include in php.ini).

Detection: Monitor web server logs for suspicious patterns: multiple ../ sequences, unusual file paths in request parameters, and attempts to access /etc/passwd or configuration files. Review error logs for failed include/require statements.
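Mitigation (1) above, a whitelist on the include parameter, as an added PHP example that is not Fitrush code; the template directory, the template names and the `template` query parameter are assumptions for illustration.

```php
<?php
// Added example (not from Fitrush): a whitelist-based template loader that
// removes the CWE-98 weakness by never passing user input straight to include().
// Assumed layout: templates live under __DIR__ . '/templates'.

const TEMPLATE_DIR = __DIR__ . '/templates';

// Fixed mapping from request keys to files; the request can only pick a key.
const ALLOWED_TEMPLATES = [
    'home'    => 'home.php',
    'contact' => 'contact.php',
];

/**
 * Resolve a user-supplied template key to a real path, or return null.
 * Traversal sequences, absolute paths and stream wrappers such as php://
 * can never reach include() because only whitelisted keys are accepted.
 */
function resolve_template(string $requested): ?string
{
    if (!isset(ALLOWED_TEMPLATES[$requested])) {
        return null;
    }
    $base = realpath(TEMPLATE_DIR);
    $path = realpath(TEMPLATE_DIR . '/' . ALLOWED_TEMPLATES[$requested]);
    // Defence in depth: the resolved file must still sit inside TEMPLATE_DIR,
    // even if the whitelist is later edited carelessly or a symlink is planted.
    if ($base === false || $path === false
        || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $path;
}

// Vulnerable shape described in this advisory, shown for contrast only:
//     include($_GET['template'] . '.php');   // attacker controls the path

// Hardened usage: unknown keys are rejected before any file is touched.
$template = resolve_template($_GET['template'] ?? 'home');
if ($template === null) {
    http_response_code(400);
    exit('Unknown template');
}
include $template;
```

The realpath() check also covers mitigation (3): it confines includes to one directory independently of open_basedir, so the two can be layered.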

EUVD-2023-29892 vulnerability details – vuln.today